Dan,

Is your traffic coming from outside, or is the source on the inside?
Traffic sourced from the inside will not generate hits on counters in the
ACL for return traffic.  That ACL will only apply to traffic sourced from
the outside.

You can do a 'sho conn detail all' to see all connections through the
firewall.

Hope that's useful to you.

Roger

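As an added illustration of the point Roger makes (this is not code from the thread or from Cisco), here is a small Python model of a stateful firewall where an inbound ACL bound to an interface is consulted only for packets that start a new connection on that interface; return traffic for an existing connection is matched against the connection table and never touches the ACL counters. The hosts, ports and the ACL named ANY are constructed for the example, and the two defaults (permit inside-to-outside when no ACL is bound, implicit deny at the end of a bound ACL) are assumptions that mirror ASA behaviour.

```python
"""Model of why an inbound ACL on the outside interface shows hitcnt=0 for
inside-initiated traffic. Added illustration, not Cisco or ASA code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str          # interface the packet arrives on: "inside" or "outside"


@dataclass
class AclEntry:
    proto: str            # "tcp", "udp", "icmp" or "ip" (ip = any protocol)
    action: str           # "permit" or "deny"
    hitcnt: int = 0

    def matches(self, pkt: Packet) -> bool:
        return self.proto == "ip" or self.proto == pkt.proto


ConnKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Inbound ACLs are evaluated only for packets that do not belong to an
    existing connection, the way 'access-group X in interface Y' behaves."""

    def __init__(self) -> None:
        self.access_groups: Dict[str, List[AclEntry]] = {}   # interface -> inbound ACL
        self.conns: Set[ConnKey] = set()
        self.log: List[str] = []

    def access_group(self, acl: List[AclEntry], interface: str) -> None:
        self.access_groups[interface] = acl

    def _existing_conn(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.conns or rev in self.conns

    def forward(self, pkt: Packet) -> str:
        if self._existing_conn(pkt):
            # Return traffic: conn table match, ACL counters are not touched.
            self.log.append(f"{pkt.ingress}: existing conn, ACL not evaluated")
            return "permit"
        acl = self.access_groups.get(pkt.ingress)
        if acl is None:
            # Assumed default with no ACL bound: higher security level (inside)
            # to lower (outside) is allowed, the reverse is denied.
            verdict = "permit" if pkt.ingress == "inside" else "deny"
        else:
            verdict = "deny"                     # implicit deny at the end of the ACL
            for entry in acl:
                if entry.matches(pkt):
                    entry.hitcnt += 1            # this is the hitcnt 'show access-list' prints
                    verdict = entry.action
                    break
        if verdict == "permit":
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.log.append(f"{pkt.ingress}: new conn, ACL verdict {verdict}")
        return verdict


def acl_any() -> List[AclEntry]:
    """The four-line permit-everything ACL from the thread, as a constructed list."""
    return [AclEntry(p, "permit") for p in ("tcp", "udp", "icmp", "ip")]


def show_access_list(name: str, acl: List[AclEntry]) -> List[str]:
    """Render the ACL in roughly the 'show access-list' format (no hash column)."""
    return [f"access-list {name} line {i} extended {e.action} {e.proto} any any "
            f"(hitcnt={e.hitcnt})" for i, e in enumerate(acl, start=1)]


def run_scenario() -> Dict[str, object]:
    fw = StatefulFirewall()
    any_acl = acl_any()
    fw.access_group(any_acl, "outside")          # access-group ANY in interface outside
    # Constructed addresses: inside host opens TCP/443 to an outside server.
    v1 = fw.forward(Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 443, "inside"))
    # The server's reply arrives on the outside interface.
    v2 = fw.forward(Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 50000, "outside"))
    hits_inside_initiated = [e.hitcnt for e in any_acl]
    # An outside host initiates a new connection toward the inside.
    v3 = fw.forward(Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22, "outside"))
    hits_outside_initiated = [e.hitcnt for e in any_acl]
    return {"verdicts": (v1, v2, v3),
            "hits_inside_initiated": hits_inside_initiated,
            "hits_outside_initiated": hits_outside_initiated,
            "show": show_access_list("ANY", any_acl),
            "log": fw.log}


if __name__ == "__main__":
    for line in run_scenario()["show"]:
        print(line)
```

Running it, all four counters stay at 0 after the inside-initiated exchange, and only the tcp line moves to 1 once an outside host starts a connection; that is the pattern to expect before suspecting the access-group binding itself.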
On Tue, Oct 20, 2009 at 10:37 AM, Dan Jianu <[email protected]> wrote:

> Hello,
>
> I ran into a strange behavior with access-groups.
> Trying to debug an access problem through the ASA, I configured a permit-all
> access list on the outside interface.
>
> ASA(config)# sh access-list ANY
> access-list ANY; 4 elements
> access-list ANY line 1 extended permit tcp any any (hitcnt=0) 0xaa048ad9
> access-list ANY line 2 extended permit udp any any (hitcnt=0) 0x494465ab
> access-list ANY line 3 extended permit icmp any any (hitcnt=0) 0xffa93494
> access-list ANY line 4 extended permit ip any any (hitcnt=0) 0xd2b64534
> ASA(config)# sh run | in access-group
> ASA(config)# access-group ANY in interface outside
> ASA(config)# sh run | in access-group
> access-group ANY in interface outside
>
> This is when I noticed that I don't get any hits on the access-list
> counters. If I remove the access-group, it displays an error, but it looks
> like it is removed.
>
> ASA(config)# no access-group ANY in interface outside
> ERROR: Unable to remove access-list ANY from interface outside
> ASA(config)# sh run | in access-group
> ASA(config)#
>
> If I reapply the access-group, there are still no hits. It must be related to
> the access-group removal error.
>
> Does anybody know what can cause this?
> Reload does fix this.
>
> Thanks,
> Dan.
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>